From 6155a267d399d111706c4496c3877e216936c3b2 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Fri, 7 Sep 2018 22:26:21 +0200

Subject: [PATCH 19/19] intg: add Smartcard authentication tests

Two test for Smartcard authentication of a local user, i.e. a user

managed by the files provider, are added. One for a successful

authentication, the other for a failed authentication with a wrong PIN.

Related to https://pagure.io/SSSD/sssd/issue/3500

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

(cherry picked from commit 657f3b89bca9adfb13f0867c91f1d76845d2d6dd)

---

 configure.ac                         |   1 +

 contrib/ci/deps.sh                   |   2 +

 contrib/sssd.spec.in                 |   1 +

 src/external/cwrap.m4                |   5 ++

 src/external/intgcheck.m4            |   1 +

 src/tests/intg/Makefile.am           |  24 ++++++-

 src/tests/intg/test_pam_responder.py | 131 ++++++++++++++++++++++++++++++++---

 7 files changed, 155 insertions(+), 10 deletions(-)

diff --git a/configure.ac b/configure.ac

index 1aac65f4d85b9974adc5ba3e5196b00be5d279f1..891610e14490a4e78e1e95e63c18d9c6a9a8afb4 100644

--- a/configure.ac

+++ b/configure.ac

@@ -488,6 +488,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x])

 AM_CHECK_CMOCKA

 AM_CHECK_UID_WRAPPER

 AM_CHECK_NSS_WRAPPER

+AM_CHECK_PAM_WRAPPER

 AM_CHECK_TEST_CA

 # Check if the user wants SSSD to be compiled with systemtap probes

diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh

index 5906e5332ba99ce137174f3630e269b8c561f996..c04c7aab03f78185d96000142a71001ab52a66a7 100644

--- a/contrib/ci/deps.sh

+++ b/contrib/ci/deps.sh

@@ -46,6 +46,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then

         pyldb

         rpm-build

         uid_wrapper

+        pam_wrapper

         python-requests

         curl-devel

         krb5-server

@@ -117,6 +118,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then

         fakeroot

         libnss-wrapper

         libuid-wrapper

+        libpam-wrapper

         python-pytest

         python-ldap

         python-ldb

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in

index 5ebd51f41f60cfdcd1d65c1c58dea4b296fd1ed1..26fae6d68dbe4d14f85ddf34bb4871bc34db3b3d 100644

--- a/contrib/sssd.spec.in

+++ b/contrib/sssd.spec.in

@@ -237,6 +237,7 @@ BuildRequires: selinux-policy-targeted

 BuildRequires: libcmocka-devel >= 1.0.0

 BuildRequires: uid_wrapper

 BuildRequires: nss_wrapper

+BuildRequires: pam_wrapper

 # Test CA requires openssl independent if SSSD is build with NSS or openssl,

 # openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil.

diff --git a/src/external/cwrap.m4 b/src/external/cwrap.m4

index b8489cc765f34f3bc6ad4e4b7e69626f6ea8060e..6e3487c13f734e311a2262b0f71495167489c710 100644

--- a/src/external/cwrap.m4

+++ b/src/external/cwrap.m4

@@ -28,3 +28,8 @@ AC_DEFUN([AM_CHECK_NSS_WRAPPER],

 [

     AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)

 ])

+

+AC_DEFUN([AM_CHECK_PAM_WRAPPER],

+[

+    AM_CHECK_WRAPPER(pam_wrapper, HAVE_PAM_WRAPPER)

+])

diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4

index 60a7bf306ddefd748cf9bac62d3767e7512b6d64..c14f66978b8087586cf1c5ac2d60a07e4f90d45d 100644

--- a/src/external/intgcheck.m4

+++ b/src/external/intgcheck.m4

@@ -22,6 +22,7 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [

     if test x"$enable_intgcheck_reqs" = xyes; then

         SSS_INTGCHECK_REQ([HAVE_UID_WRAPPER], [uid_wrapper])

         SSS_INTGCHECK_REQ([HAVE_NSS_WRAPPER], [nss_wrapper])

+        SSS_INTGCHECK_REQ([HAVE_PAM_WRAPPER], [pam_wrapper])

         SSS_INTGCHECK_REQ([HAVE_SLAPD], [slapd])

         SSS_INTGCHECK_REQ([HAVE_LDAPMODIFY], [ldapmodify])

         SSS_INTGCHECK_REQ([HAVE_FAKEROOT], [fakeroot])

diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am

index 6f7605bd4edbf26ef3ce97acea74fc92216eede9..bb3a7f01ae4f79fa05cd661993e8f9872ecd0450 100644

--- a/src/tests/intg/Makefile.am

+++ b/src/tests/intg/Makefile.am

@@ -105,13 +105,29 @@ passwd: root

 group:

 	echo "root:x:0:" > $@

+PAM_SERVICE_DIR=pam_service_dir

+pam_sss_service:

+	$(MKDIR_P) $(PAM_SERVICE_DIR)

+	echo "auth     required       $(DESTDIR)$(pammoddir)/pam_sss.so"  > $(PAM_SERVICE_DIR)/$@

+	echo "account  required       $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@

+	echo "password required       $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@

+	echo "session  required       $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@

+

 CLEANFILES=config.py config.pyc passwd group

 clean-local:

 	rm -Rf root

 	rm -f $(builddir)/cwrap-dbus-system.conf

-intgcheck-installed: config.py passwd group

+if HAVE_NSS

+PAM_CERT_DB_PATH="sql:$(DESTDIR)$(sysconfdir)/pki/nssdb"

+SOFTHSM2_CONF=""

+else

+PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"

+SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"

+endif

+

+intgcheck-installed: config.py passwd group pam_sss_service

 	pipepath="$(DESTDIR)$(pipepath)"; \

 	if test $${#pipepath} -gt 80; then \

 	    echo "error: Pipe directory path too long," \

@@ -131,12 +147,18 @@ intgcheck-installed: config.py passwd group

 	LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \

 	NON_WRAPPED_UID=$$(id -u) \

 	LD_PRELOAD="$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \

+	LD_LIBRARY_PATH="$$LD_LIBRARY_PATH:$(DESTDIR)$(nsslibdir)" \

 	NSS_WRAPPER_PASSWD="$(abs_builddir)/passwd" \

 	NSS_WRAPPER_GROUP="$(abs_builddir)/group" \

 	NSS_WRAPPER_MODULE_SO_PATH="$(DESTDIR)$(nsslibdir)/libnss_sss.so.2" \

 	NSS_WRAPPER_MODULE_FN_PREFIX="sss" \

 	UID_WRAPPER=1 \

 	UID_WRAPPER_ROOT=1 \

+	PAM_WRAPPER=0 \

+	PAM_WRAPPER_SERVICE_DIR="$(abs_builddir)/$(PAM_SERVICE_DIR)" \

+	PAM_WRAPPER_PATH=$$(pkg-config --libs pam_wrapper) \

+	PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \

+	SOFTHSM2_CONF=$(SOFTHSM2_CONF) \

 	DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \

 	DBUS_SESSION_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/fake_socket" \

 	DBUS_SYSTEM_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/system_bus_socket" \

diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py

index cf6fff2db7ba9c9c69e1dd9abe5663a02cedd72e..c6d048cd342838fe312287eaffff734e30ba9e1c 100644

--- a/src/tests/intg/test_pam_responder.py

+++ b/src/tests/intg/test_pam_responder.py

@@ -27,31 +27,44 @@ import signal

 import errno

 import subprocess

 import time

-import pytest

+import shutil

 import config

-from util import unindent

+import pytest

+from intg.util import unindent

+from intg.files_ops import passwd_ops_setup

-def format_pam_cert_auth_conf():

+USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001,

+             gecos='User for tests',

+             dir='/home/user1',

+             shell='/bin/bash')

+

+

+def format_pam_cert_auth_conf(config):

     """Format a basic SSSD configuration"""

     return unindent("""\

         [sssd]

+        debug_level = 10

         domains = auth_only

-        services = pam

+        services = pam, nss

         [nss]

+        debug_level = 10

         [pam]

         pam_cert_auth = True

+        pam_p11_allowed_services = +pam_sss_service

+        pam_cert_db_path = {config.PAM_CERT_DB_PATH}

         debug_level = 10

         [domain/auth_only]

-        id_provider = ldap

-        auth_provider = ldap

-        chpass_provider = ldap

-        access_provider = ldap

+        debug_level = 10

+        id_provider = files

+

+        [certmap/auth_only/user1]

+        matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*

     """).format(**locals())

@@ -79,6 +92,8 @@ def create_conf_fixture(request, contents):

 def create_sssd_process():

     """Start the SSSD process"""

+    os.environ["SSS_FILES_PASSWD"] = os.environ["NSS_WRAPPER_PASSWD"]

+    os.environ["SSS_FILES_GROUP"] = os.environ["NSS_WRAPPER_GROUP"]

     if subprocess.call(["sssd", "-D", "-f"]) != 0:

         raise Exception("sssd start failed")

@@ -116,12 +131,41 @@ def create_sssd_fixture(request):

     request.addfinalizer(cleanup_sssd_process)

+def create_nssdb():

+    os.mkdir(config.SYSCONFDIR + "/pki")

+    os.mkdir(config.SYSCONFDIR + "/pki/nssdb")

+    if subprocess.call(["certutil", "-N", "-d",

+                        "sql:" + config.SYSCONFDIR + "/pki/nssdb/",

+                        "--empty-password"]) != 0:

+        raise Exception("certutil failed")

+

+    pkcs11_txt = open(config.SYSCONFDIR + "/pki/nssdb/pkcs11.txt", "w")

+    pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +

+                     "parameters=configdir='sql:" + config.ABS_BUILDDIR +

+                     "/../test_CA/p11_nssdb' " +

+                     "dbSlotDescription='SSSD Test Slot' " +

+                     "dbTokenDescription='SSSD Test Token' " +

+                     "secmod='secmod.db' flags=readOnly)\n\n")

+    pkcs11_txt.close()

+

+

+def cleanup_nssdb():

+    shutil.rmtree(config.SYSCONFDIR + "/pki")

+

+

+def create_nssdb_fixture(request):

+    create_nssdb()

+    request.addfinalizer(cleanup_nssdb)

+

+

 @pytest.fixture

 def simple_pam_cert_auth(request):

     """Setup SSSD with pam_cert_auth=True"""

-    conf = format_pam_cert_auth_conf()

+    config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']

+    conf = format_pam_cert_auth_conf(config)

     create_conf_fixture(request, conf)

     create_sssd_fixture(request)

+    create_nssdb_fixture(request)

     return None

@@ -129,3 +173,72 @@ def test_preauth_indicator(simple_pam_cert_auth):

     """Check if preauth indicator file is created"""

     statinfo = os.stat(config.PUBCONF_PATH + "/pam_preauth_available")

     assert stat.S_ISREG(statinfo.st_mode)

+

+

+@pytest.fixture

+def pam_wrapper_setup(request):

+    pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")

+    if pwrap_runtimedir is None:

+        raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")

+

+

+def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,

+                           passwd_ops_setup):

+

+    passwd_ops_setup.useradd(**USER1)

+    current_env = os.environ.copy()

+    current_env['PAM_WRAPPER'] = "1"

+    current_env['SSSD_INTG_PEER_UID'] = "0"

+    current_env['SSSD_INTG_PEER_GID'] = "0"

+    current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']

+

+    sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",

+                               "--action=auth", "--service=pam_sss_service"],

+                              universal_newlines=True,

+                              env=current_env, stdin=subprocess.PIPE,

+                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)

+

+    try:

+        out, err = sssctl.communicate(input="111")

+    except:

+        sssctl.kill()

+        out, err = sssctl.communicate()

+

+    sssctl.stdin.close()

+    sssctl.stdout.close()

+

+    if sssctl.wait() != 0:

+        raise Exception("sssctl failed")

+

+    assert err.find("pam_authenticate for user [user1]: " +

+                    "Authentication failure") != -1

+

+

+def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup):

+

+    passwd_ops_setup.useradd(**USER1)

+    current_env = os.environ.copy()

+    current_env['PAM_WRAPPER'] = "1"

+    current_env['SSSD_INTG_PEER_UID'] = "0"

+    current_env['SSSD_INTG_PEER_GID'] = "0"

+    current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']

+

+    sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",

+                               "--action=auth", "--service=pam_sss_service"],

+                              universal_newlines=True,

+                              env=current_env, stdin=subprocess.PIPE,

+                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)

+

+    try:

+        out, err = sssctl.communicate(input="123456")

+    except:

+        sssctl.kill()

+        out, err = sssctl.communicate()

+

+    sssctl.stdin.close()

+    sssctl.stdout.close()

+

+    if sssctl.wait() != 0:

+        raise Exception("sssctl failed")

+

+    assert err.find("pam_authenticate for user [user1]: Success") != -1

-- 

2.14.4